DRUPAL-CONTRIB-2025-049

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies/DRUPAL-CONTRIB-2025-049.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-049

Aliases

CVE-2025-47703

Published

2025-05-07T17:06:36Z

Modified

2025-12-10T23:41:32.283918Z

Summary

[none]

Details

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.

The cookies_asset_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

References

https://www.drupal.org/sa-contrib-2025-049

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/cookies

Package

Name: drupal/cookies
Purl: pkg:composer/drupal/cookies

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.14

Database specific

{
    "constraint": "<1.2.14"
}

Database specific

affected_versions

"<1.2.14"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies/DRUPAL-CONTRIB-2025-049.json"